How to Secure a WordPress Website and Protect from Brute Force Attacks: 13 Free Steps
WordPress is a popular content management system that is used by millions of websites. While it is a very user-friendly platform, it is also susceptible to brute force attacks. A brute force attack is when a hacker tries to guess your login credentials using automated software. In this blog post, we will discuss 10 ways to secure your WordPress website and protect yourself from these types of attacks!
Even a new website needs to take site security seriously. There is a common assumption that website security is taken care of by your host; I found out the hard way that this is not the case. You are responsible for your site’s security, and new sites are the most vulnerable.
Small Doesn’t Mean Safe
Hackers know that new website owners are the least experienced in security matters and the least likely to secure their property. For a long time I fell into this camp, assuming that my site was too small to be worth attacking.
When I installed my first security plugin, I had it set to alert me each time there was an attempt to break into my site. I was getting dozens of emails every day and only luck had kept my site from being compromised.
Small Website Security
Hackers target small websites first because they have weaker security. Large websites often have full-time security employees and the best paid security software. These are the sites hackers want to target, but they need your website’s help to get there.
Once a smaller website is compromised, it’s added to a botnet and used as a zombie in attacks on larger websites. You might not even know your website has been compromised. Rather than mess with your website’s content, the hackers just want to leverage your IP address and computing resources.
The more sites they hack, the faster they can break into larger sites.
WordPress is The Most Popular Platform
All the conveniences of being on the largest platform come with a cost: being the target of more attacks. As we mentioned earlier, brute force attacks are one type of attack that WordPress websites are particularly susceptible to.
WordPress sites are the easiest to hack and convert into botnets because everything is organized the same way. The software, login pages, file structures and security protocols are all identical. Once a hacker knows how to break into one WordPress site, it’s not much harder to break into the next one.
To protect your site, follow these steps.
Pick a Strong Username
One of the first things you can do to secure your site is to choose a strong username and password. Do not use the default username of ‘admin’ or your first name; either one gives a brute force attacker a massive advantage.
Earlier versions of WordPress gave every single administrator the same username and this became a massive vulnerability. If you set up your site back then, even if you updated your site, you are still vulnerable with an easily guessable username.
Your username should be a random set of numbers and letters. This makes your password literally impossible to crack. Use a password generator to create your username. Your password manager stores the username and password, so you don’t have to worry about forgetting them.
An attacker has to break your username and password and this combination makes that impossible.
Without knowing the username, the hacker has to work much harder to get a result.
Pick a Strong Password
Your password should be at least 12 characters long, as this is where the math starts to work in your favor and passwords take years to crack. Anything shorter and your password is breakable.
Don’t Publish Using Your Main Profile
Losing control of your administrator account is one of the biggest security risks and it’s the goal of every hacker. With this step the goal is to make it harder for a hacker to even find an administrator account.
Create a second profile that only has author-level access to your site. After you write a new blog post, you simply assign that profile as the author. Even if an attacker breaks through your first level of security and learns that profile’s username, they aren’t any closer to breaching your real layers of security.
At best they will brute force attack that profile that doesn’t have admin privileges. That profile is your public persona and has no access to sensitive data. Even if a hacker does manage to break into that account, they don’t have administrator privileges and can’t damage your site.
The author profile on my website doesn’t even have the ability to post anything, it has to be approved by the administrator account.
Hide Your Login Page
All WordPress websites use the same URL structure for their login pages. Use a custom, hard-to-guess URL for your login page.
Change your login URL and tell WordPress not to show this page unless you type it into the address bar exactly. This page should be hidden from external crawlers and make it hard for a hacker to even know where to start their hack.
They can’t attack your website unless they know where to enter that username and password.
Limit Login Attempts
If someone walked up to you and guessed the wrong password ten times in a row, you’d know something is wrong and stop them. Unfortunately, computers don’t operate this way. Unless you tell WordPress to limit how many times someone can attempt to login, your website will let a hacker try millions of passwords and not even tell you that it’s happening.
Limit login attempts to a dozen or fewer. Set the lockout to last only ten minutes. This is a good balance between accessing your own site if you mistype your password and blocking a brute force attack that drains your server’s resources each time your site has to check whether a password is correct.
Software that needs to try millions of passwords an hour simply doesn’t work with only 60 guesses per hour.
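The lockout policy described above, written as a small must-use plugin. This is an added example, not code from the article or from any plugin it names; the `sll_` function names and the log format are my own choices, and the per-client key assumes the site is not behind a reverse proxy.

```php
<?php
/**
 * Plugin Name: Simple Login Limiter (added example, not a published plugin)
 * Drop into wp-content/mu-plugins/. Counts failed logins per client IP in a
 * transient and refuses further attempts once the limit is reached.
 */

// Policy from the article: a dozen attempts, then a ten-minute lockout.
const SLL_MAX_ATTEMPTS    = 12;
const SLL_LOCKOUT_SECONDS = 10 * MINUTE_IN_SECONDS;

// Transient key for the current client. REMOTE_ADDR is only trustworthy when
// no reverse proxy sits in front of the site; behind one, read the proxy's
// trusted forwarding header instead (assumption: no proxy here).
function sll_key() {
    return 'sll_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count a failed attempt. The transient expires after the lockout window, so
// the counter resets on its own once the client stays quiet.
function sll_record_failure( $username ) {
    $key   = sll_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SLL_LOCKOUT_SECONDS );
    if ( $count >= SLL_MAX_ATTEMPTS ) {
        // Lockouts are worth alerting on: a steady stream of them is a brute-force run.
        error_log( sprintf( 'login lockout: ip=%s user=%s attempts=%d',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $username, $count ) );
    }
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// wp_authenticate_user fires after the user row is found but before the
// password hash is checked, so a locked-out client costs no hashing work.
function sll_check_lockout( $user, $password ) {
    if ( (int) get_transient( sll_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins. Try again in ten minutes.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'sll_check_lockout', 1, 2 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( sll_key() );
} );
```

Watch the error log after installing it: a lockout line every ten minutes from the same address is exactly the pattern the article's dozens of daily alert emails were showing.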
Activate 2-Factor Authentication
I know it’s annoying having to pull out your phone each time you want to log into your website, but this is one of the most effective security tools.
Most websites switch to 2FA right after they lose sensitive information to a hacker. Don’t wait until something bad happens to implement these security measures.
There’s a reason banks and financial institutions use 2FA. It’s very strong. Now someone can only break into your account if they get their hands on your physical phone.
The annoyance of adding 2FA to your site is equal to the level of protection that it adds.
Secure Your Website’s Server
Shared hosting means other users have access to the same server and this offers a vulnerability that we don’t often think about. If another user on the same server as you has a vulnerability, then your site is also at risk.
By using a secure host that specializes in WordPress hosting, you can be confident that they are keeping up with best practices and securing their servers. This means your website is less likely to be compromised by an attack on another site.
It’s tempting to find the cheapest website host for your site, but this comes with a price. If your website is surrounded by unsecured websites on the same server, you have a problem.
Check a host’s reputation before putting your business on their server.
Keep Your Site Updated
There are updates for my site nearly every day and I have to run those updates to keep my site secure. Your website is always online and that means you have to be an active owner. Set up a system or process to keep your website updated.
Each time a new vulnerability is discovered, WordPress is patched to block malicious code. Themes and plugins are frequently updated for the same reason.
An outdated plugin is an unlocked door in the security of your website and can undo all the hard work you’ve completed in the previous steps.
Remove Abandoned Plugins
No more updates for a plugin doesn’t mean that it’s hit perfection, it usually means the developer has abandoned the project. I still see some big sites recommend plugins that have been abandoned for years. A plugin that’s no longer receiving updates only becomes more vulnerable over time as technology moves ahead and more exploits are found.
Business websites should never rely on abandoned tools. You update your operating system and anti-virus software on your computer because new loopholes are found all the time. Your website is even more vulnerable because it’s online twenty-four hours a day.
Pruning unused plugins will speed up your site and there’s no reason to leave anything on your website that you’re no longer using. Unused plugins just leave another possible entrance to your site open and you’re less likely to notice a breach since you don’t use that plugin. You won’t notice when it stops working.
Force HTTPS in the Address Bar
HTTPS is a secure protocol that encrypts data between your website and the user. If you look at the top left corner, next to my web address, you’ll see a little icon that looks like a lock. It only appears when your browser is connected via HTTPS and has confirmed that my security certificate matches my domain. The lock means my website is secure.
Some browsers will show a red alert for websites that don’t have HTTPS and warn that your connection is not secure.
Activate Secure Sockets Layer
A few years ago, enabling HTTPS was really hard. You had to pay hundreds or even thousands of dollars for an SSL (secure sockets layer) certificate for your website’s server. Now there is a free service called Let’s Encrypt that provides SSL certificates at no cost. You just have to renew the certificate every 90 days to maintain your status.
Most good website hosts will handle your SSL certificates automatically. If your host wants to charge a fee or makes it hard to switch to HTTPS, consider changing to a host with better security services.
Once you have SSL activated on your website, you can force visitors to the HTTPS version of each page even if they try to visit the non-secure version of the page. My host, Kinsta, does this automatically. If your host doesn’t offer this option, there’s a plugin called Really Simple SSL that does all the work for you.
Protect Your Comments
A hacker is looking for a way to take advantage of your website visitors. If they can’t break into your website, ripping off your fans is the next best thing.
A bad link in a comment can hurt anyone who clicks on it. Someone might think that because you run a safe website, every single link in a comment is safe to click on.
Turn off automatic comment approval in WordPress and consider turning off links in all comments.
Use an antispam plugin like AntiSpam Bee to help you find bad comments that might look normal to the naked eye, but are actually doing something tricky.
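One way to apply the two comment settings above (manual approval for every comment, and no links) as a must-use plugin. This is an added example, not code from the article or from AntiSpam Bee; the `ch_` function names and the rejection message are my own.

```php
<?php
/**
 * Plugin Name: Comment Hardening (added example, not a published plugin)
 * Drop into wp-content/mu-plugins/. Holds every comment for manual approval
 * and stops comments from carrying clickable links.
 */

// 1. Nothing is published until an administrator approves it, whatever the
//    Settings > Discussion checkbox says. 0 = pending; spam/trash decisions
//    made by other filters (such as an antispam plugin) are kept as they are.
function ch_hold_for_moderation( $approved, $commentdata ) {
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;
    }
    return 0;
}
add_filter( 'pre_comment_approved', 'ch_hold_for_moderation', 10, 2 );

// 2. Strip every HTML tag from the comment before it is stored, so an <a>
//    tag pasted by a visitor never reaches the database.
function ch_strip_tags( $content ) {
    return wp_kses( $content, array() );
}
add_filter( 'pre_comment_content', 'ch_strip_tags' );

// 3. WordPress turns bare URLs into links at display time (make_clickable,
//    hooked on comment_text at priority 9). Removing that hook leaves any
//    URL in a comment as plain, unclickable text.
add_action( 'init', function () {
    remove_filter( 'comment_text', 'make_clickable', 9 );
} );

// 4. Stricter option: refuse any submission that contains a URL at all.
//    wp_die aborts the request, which is how wp-comments-post.php reports
//    a rejected comment back to the visitor.
function ch_reject_urls( $commentdata ) {
    if ( preg_match( '#https?://|www\.#i', $commentdata['comment_content'] ) ) {
        wp_die( 'Links are not allowed in comments.', 'Comment Rejected',
            array( 'response' => 403, 'back_link' => true ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'ch_reject_urls' );
```

Steps 2 and 3 together mean a link can neither be stored as markup nor rendered from a bare URL; step 4 is optional if you still want visitors to be able to mention a site by name.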
Backup Regularly
Make automatic backups of your website. This way if you are hacked, you can quickly and easily restore your site to a previous secure version.
Many web hosts make backups of their client websites, but don’t assume anything. Not every host does this and some only backup every thirty days. Ideally you want to keep seven daily backups, four weekly backups and twelve monthly backups. This way you should always have a backup that’s old enough to pre-date a hack.
There are a lot of great backup plugins for WordPress that will automate this entire process and store the backups on your cloud server for you.
Use a Security Plugin
Some of the steps mentioned in this article might seem a little difficult to implement, but a good security plugin will do all of the hard work for you. There are a lot of options for security plugins, but we recommend one that is lightweight and powerful.
iThemes Security
This is a strong security plugin that also won’t slow down your site and will handle most of the technical parts of protecting your site.
This plugin will:
- secure your login page with a CAPTCHA
- force strong passwords
- force two factor authentication
- scan for vulnerabilities
- block malicious IP addresses
- hide your login page
- limit login attempts
- notify you of attacks
Secure Your Computer
As the website owner, security issues are ultimately your responsibility. If you leave your password stuck to your computer monitor on a post-it note, it doesn’t matter how complicated that password is.
You need to maintain local security in addition to your secure websites. Your computer should have a complicated password that nobody else knows and your phone needs a combination that’s more than four digits.
You can use a traditional password on your phone rather than just numbers and it becomes very hard to break your personal security.
Any device where you access your bank accounts, website or private information should at least have a complex password and antivirus software to prevent a local attack.
FAQ
Why do I need a secure website?
No matter how small your website, hackers start attacking it the moment you hit publish. Your website is a valuable asset and it contains sensitive information. By securing your website you are protecting your business, your customers, and yourself.
How do I secure my WordPress website?
Using a secure password, activating a security plugin and limiting login attempts are the first steps to securing your site. By following the rest of the steps in this blog post, you can secure your WordPress website and protect it from brute force attacks.
What are some of the best ways to secure a WordPress website?
Use a secure host, keep your site updated, remove abandoned plugins, and force HTTPS. You can also secure your computer and protect your comments to secure your website. Finally, backing up regularly is a great way to secure your website.
Do hackers attack small websites?
Yes, hackers will attack small websites. In fact, small websites are often easier to hack because they may not have the same level of security as larger websites. This is why it’s important to secure your WordPress website, even if it’s small.
What do I do if my site has already been hacked?
If your WordPress website is hacked, you should take action immediately to secure your site and prevent further damage. You can start by restoring a backup of your website, if you have one. You can also change all of your passwords, secure your computer, and scan for vulnerabilities. Finally, you should contact your host to see how they can help you recover your lost data.
How can I check a website is safe?
If you want to check whether a website is safe, you can use a service like VirusTotal or Google Safe Browsing. These services will scan a website for malware and warn you if they find anything malicious. You can also check the Whois record of a website to see when it was created and who owns it. If anything looks suspicious, it’s best to avoid the website.
Your Site is Secure
Following these steps will help secure your WordPress website and protect it from brute force attacks. Your website is your business and you want a secure site. You don’t have to spend a lot of time or money and it should take less than thirty minutes to implement the steps listed in this guide.
If you don’t plan for the possibility of an attack, it can be devastating. I’ve lost entire websites because I wasn’t making backups and didn’t take security seriously. I don’t want that to happen to you.
The most surprising part of this entire process is how easy it is to protect your data. You don’t need to spend any money, hire a security professional or learn web design.
There are other types of attacks, such as DDoS attacks and phishing emails, which I haven’t covered in this article. Those are less common for smaller websites and will be covered in other articles.
If there are any other types of attacks you want me to cover or security steps I missed, let me know in the comments.